Add tls.enabled toggle to make TLS volume mount and VAULT_CACERT conditional #390

@anatoly314

Description

Problem

When tls_disable: true is set in the Vault listener config, the chart still unconditionally:

  1. Mounts a vault-tls Secret at /vault/tls on all containers (vault, vault-unsealer, vault-configurer)
  2. Sets VAULT_CACERT=/vault/tls/ca.crt on all containers
  3. Generates random TLS certificates via genCA/genSignedCert (unless tls.secretName or cert-manager is configured)

There is no way to disable this behavior. The chart acknowledges tls_disable for HTTP/HTTPS probe scheme selection in statefulset.yaml, but doesn't carry that logic through to the volume mount, env var, or cert generation.

Impact

  • ArgoCD drift: genCA/genSignedCert produce new random certs on every helm template render. This causes perpetual OutOfSync on both the vault-tls Secret and the StatefulSet (via its checksum/config annotation, which hashes the entire secret.yaml output including cert data). This is a well-known Helm + ArgoCD issue.
  • Unnecessary resources: When TLS is disabled, the cert Secret, volume mount, and env var serve no purpose.

Current workaround

Set tls.secretName: "vault-tls" to skip cert generation, then provide a static Secret with dummy cert data to satisfy the unconditional volume mount. This works but requires maintaining an otherwise pointless Secret manifest.

Proposed solution

Add a tls.enabled toggle (defaulting to true for backward compatibility) that wraps:

  1. The cert generation block in secret.yaml (line 1)
  2. The vault-tls volume definition in statefulset.yaml (~line 312)
  3. The vault-tls volumeMount in all three containers
  4. The VAULT_CACERT env var in all three containers

Alternatively, the chart could read vault.config.listener.tcp.tls_disable (which it already references for probe schemes) and skip TLS provisioning when it's true.
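The following is an added example of how the proposed toggle could be wired through the templates; it is not code from the chart or from the issue author. It assumes a helper named vault.tlsEnabled (hypothetical) that combines the proposed tls.enabled value with the existing vault.config.listener.tcp.tls_disable setting, so both approaches described above end up in one decision. The Secret name vault-tls, the mount path /vault/tls and the VAULT_CACERT path come from the issue; the certificate CN/SAN values, validity period and the use of sprig's dig function are constructed for the example.

```yaml
# values.yaml (added example): proposed toggle, defaulting to true
tls:
  enabled: true
  secretName: ""   # set to reuse an existing Secret instead of generating one

# templates/_helpers.tpl (hypothetical helper name): single place that decides
# whether TLS material is provisioned. Returns "true" or "" so it can be used
# directly in `if include ...` (an empty string is falsy in Go templates).
{{- define "vault.tlsEnabled" -}}
{{- /* dig tolerates a missing listener/tcp block and falls back to false */ -}}
{{- $listenerDisablesTLS := dig "listener" "tcp" "tls_disable" false (.Values.vault.config | default dict) -}}
{{- if and .Values.tls.enabled (not $listenerDisablesTLS) -}}true{{- end -}}
{{- end -}}

# templates/secret.yaml (added example): cert generation only when TLS is on
# and no user-supplied Secret is configured.
{{- if and (include "vault.tlsEnabled" .) (not .Values.tls.secretName) }}
{{- $ca := genCA "vault-ca" 365 }}
{{- $cert := genSignedCert "vault" nil (list "vault" "vault.default.svc") 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: vault-tls
type: kubernetes.io/tls
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}

# templates/statefulset.yaml (added example, abbreviated to one container):
# the same guard wraps the env var, the volumeMount and the volume, so a
# tls_disable: true listener never gets a dangling mount or CA path.
spec:
  template:
    spec:
      containers:
        - name: vault
          env:
            {{- if include "vault.tlsEnabled" . }}
            - name: VAULT_CACERT
              value: /vault/tls/ca.crt
            {{- end }}
          volumeMounts:
            {{- if include "vault.tlsEnabled" . }}
            - name: vault-tls
              mountPath: /vault/tls
              readOnly: true
            {{- end }}
      volumes:
        {{- if include "vault.tlsEnabled" . }}
        - name: vault-tls
          secret:
            secretName: {{ .Values.tls.secretName | default "vault-tls" }}
        {{- end }}
```

The same three guarded stanzas would be repeated for the vault-unsealer and vault-configurer containers. Note what this does and does not fix: with tls.enabled: false (or tls_disable: true in the listener) nothing TLS-related is rendered, so the random-cert drift disappears along with the unused Secret and mount. With TLS enabled, genCA/genSignedCert still produce fresh material on every render, so the ArgoCD OutOfSync problem for TLS-enabled deployments is still addressed only by tls.secretName or cert-manager, as the issue already notes.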

Affected templates

  • vault/templates/secret.yaml — lines 1-26 (cert generation)
  • vault/templates/statefulset.yaml — lines 84-85, 150-151, 165-166, 192-193, 207-208, 232-233 (VAULT_CACERT + volumeMount), lines 312-320 (volume definition)

Environment

  • Chart version: v1.21.1
  • Vault image: hashicorp/vault:1.17.6
  • GitOps tool: ArgoCD
